ArubaOS: Encrypt credentials in config files

By default, credentials such as RADIUS or TACACS authentication keys are stored separately from the switch configuration and are not shown when the saved or running configuration is displayed or copied using TFTP or SSH. You can change this behaviour with the include-credentials command. This is clearly a security issue, because the credentials are then displayed unencrypted. You can check the current status with show include-credentials.

HP Switch(config)# show include-credentials
Stored in Configuration         : Yes
Enabled in Active Configuration : Yes
Include ClearPass Keys          : No

If you want to encrypt these credentials, use the encrypt-credentials command. It encrypts the credentials either with a hardcoded 256-bit key or, if you add a pre-shared key to the command, with that pre-shared key. In either case the switch uses AES256-CBC to encrypt the credentials, whichever key is in use.

HP Switch(config)# encrypt-credentials

                      **** CAUTION ****

This will encrypt all passwords and authentication keys.

The encrypted credentials will not be understood by older software versions.
The resulting config file cannot be used by older software versions.
It may also break some of your existing user scripts.

Before proceeding, please save a copy of your current config file, and associate
the current config file with the older software version saved in flash memory.
See “Best Practices for Software Updates” in the Release Notes.

A config file with ‘encrypt-credentials’ may prevent previous software versions
from booting. It may be necessary to reset the switch to factory defaults. To
prevent this, remove the encrypt-credentials command or use an older config file.

Save config and continue [y/n]? y

Status of encrypt-credentials when the pre-shared key has not been set:

HP Switch(config)# show encrypt-credentials

 Encryption    : Disabled
 Pre-shared Key: None

Status of encrypt-credentials when the pre-shared key has been set:

HP Switch(config)# show encrypt-credentials

 Encryption    : Disabled
 Pre-shared Key:
 055d7b3b6bc22d18d29533ba2b549b3991bc23b7cbfc8e5769bdcc9ec748af27

Affected configuration commands are:

  • radius-server
  • tacacs-server
  • key-chain
  • aaa port-access
  • sntp authentication
  • password manager

Now you can include credentials in your config in encrypted form.
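As an added example (not part of the original post or the switch software), a small Python audit that combines the two show outputs above into an exposure verdict and scans a saved config for the listed commands still carrying a cleartext secret. The config-line syntax, the encrypted-key keyword and all sample values are assumptions, constructed for this example.

```python
import re

# The configuration commands the post lists as affected by encrypt-credentials.
AFFECTED = ("radius-server", "tacacs-server", "key-chain",
            "aaa port-access", "sntp authentication", "password manager")
# Keywords assumed to carry a cleartext secret on those lines; the lookbehind and
# lookahead reject hyphenated forms such as 'encrypted-key' and 'key-chain'.
SECRET_KW = re.compile(r"(?<![\w-])(key|key-value|key-string|plaintext)(?![\w-])")

def parse_show(output):
    """Parse 'Label : Value' lines into a dict; a value on the next line is picked up."""
    fields, last = {}, None
    for line in output.splitlines():
        line = line.strip()
        if ":" in line:
            label, _, value = line.partition(":")
            last = label.strip()
            fields[last] = value.strip()
        elif line and last and not fields[last]:
            fields[last] = line          # wrapped value, e.g. the pre-shared key
    return fields

def credential_exposure(include_out, encrypt_out):
    """Combine show include-credentials and show encrypt-credentials into a verdict."""
    inc, enc = parse_show(include_out), parse_show(encrypt_out)
    if inc.get("Enabled in Active Configuration") != "Yes":
        return "ok: credentials stay outside the configuration file"
    if enc.get("Encryption") != "Enabled":
        return "high: credentials are written to the configuration in cleartext"
    if enc.get("Pre-shared Key", "None") == "None":
        return "medium: credentials encrypted only with the built-in hardcoded key"
    return "low: credentials encrypted with an operator-set pre-shared key"

def cleartext_secret_lines(config):
    """Return affected-command lines that still carry a cleartext secret."""
    return [l.strip() for l in config.splitlines()
            if l.strip().startswith(AFFECTED) and SECRET_KW.search(l)]

# Constructed samples in the layout shown in the post; the config syntax is assumed.
INCLUDE_OUT = ("Stored in Configuration         : Yes\n"
               "Enabled in Active Configuration : Yes\nInclude ClearPass Keys : No\n")
ENCRYPT_DEFAULT = " Encryption    : Disabled\n Pre-shared Key: None\n"
ENCRYPT_PSK = " Encryption    : Enabled\n Pre-shared Key:\n 00ffdeadbeef00ff\n"
CONFIG = """radius-server host 10.0.0.1 key "S3cret"
tacacs-server host 10.0.0.2 encrypted-key "QUJDRA=="
sntp authentication key-id 1 authentication-mode md5 key-value "ntpkey"
password manager user-name "admin" plaintext "changeme"
key-chain "ospf" key 1 key-string "kcsecret"
"""
```

Run against real output captured from show include-credentials, show encrypt-credentials and show running-config; only the tacacs-server line in the sample, which already carries encrypted-key, passes the scan.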